AD  P001300 


Privacy  Act  and  the  Data  Base:  Laplenentatlon  of  the  Privacy  Act 


Wlllian  B.  Camn,  Staff  Assistant  for  Tests,  Technical  Information  Division, 
US  Army  Research  Institute  for  the  Behavioral  and  Social  Sciences, 
\  Alexandria,  Virginia  22333 


The  legal  constraints  of  the  Privacy  Act  and  the  Increased  legislative 
pressure  to  handle  greater  amounts  of  personal  data  faster  and  better 
pose  many  new  probleas  for  social  science  resesrch  In  the  US  Government. 
The  Imnedlate,  Intermediate,  and  long-range  solutions  to  the  dilemma  can  be 
achieved  through  the  development  of  a  precautionary,  systematic  set  of 
collection  and  storage  procedures;  full  use  of  comprehensive  data  bases; 
and  the  Insulation  of  each  contributing  set  of  data* 


This  paper  Is  offered  as  a  contribution  to  the  current  discussion 
on  the  legal  constraints  of  the  Privacy  Act  of  1974  (P.  L.  93-579)  on  the 
pressing  requirement  that  the  Department  of  Defense  handle  greater  amounts 
of  complex  personnel  research  data  faster,  better,  and  at  minimal  cost. 
The  mandate  to  minimize  the  cost  of  collecting,  maintaining,  and  using 
personal  data  and,  at  the  same  time,  maximize  the  utility  of  the  collected 
data  Is  articulated  in  the  Paperwork  Reduction  Act  of  1980  (P.  L.  96-511). 
The  act  became  effective  1  April  1981. 

The  technology  capable  of  cogent  management  of  information  resources 
is  here,  and  we  already  know  quite  a  bit  about  how  to  apply  it  in  terms  of 
cutting  costs,  enhancing  usefulness,  coordinating  and  sharing  common 
procedures,  and  Improving  service  to  management  and  the  user. 

The  problem,  however.  Is  to  Insure  that  the  collection,  maintenance, 
use,  and  dissemination  of  personal  data  and  Information  are  consistent 
with  the  Privacy  Act.  The  restrictions  and  limitations  Imposed  by  the 
Privacy  Act  loom  large  as  a  potential  hindrance  to  effective  Information 
resource  management  in  terms  of  information  control,  resource  contralnts, 
cost  of  data,  added  hardware,  and  special  computer  programs.  To  date, 
neither  the  impact  of  the  new  wave  of  Information  resource  management  on 
the  Privacy  Act  nor  the  constraints  of  the  Privacy  Act  on  the  Paperwork 
Reduction  Act  has  been  sorted  out.  The  Office  of  Management  and  Budget 
(0MB)  has  been  assigned  the  responsibility  for  providing  overall  direction 
In  the  development  and  Implementation  of  policies,  principles,  standards, 
and  guidelines  In  all  areas  of  P.  L.  96-511.  Privacy  Act  enhancement  Is  on 
the  0MB  agenda  for  April  1983. 

All  Federal  agencies  are  moving  ahead  with  their  own  Interpretation 
of  P.  L.  96-511  with  the  expectation  that  the  resulting  Implementation  will 
be  found  acceptable.  The  Office  of  the  Assistant  Secretary  of  Defense, 
Information  Control  Division,  has  established  DOD-wlde  policy  to  Insure 
compliance  with  P.  L.  96-511.  The  Army  has  established  an  Information 
Management  Office  under  the  Office  of  the  Chief  of  Staff  to  define,  de¬ 
velop,  and  manage  the  Army  information  resources  program. 

Organizations  that  deal  with  personal  Information  have  reached  informal 
agreements  on  most  aspects  of  the  program  but  have  avoided  special  problems 
with  regard  to  processing  and  maintaining  personal  data --especially  with 
the  concept  of  an  Integrated  data  base.  Nevertheless,  the  problems  of 
effective  Information  resource  management  and  protection  of  Individual 
privacy  are  quite  real  and  very  pressing  and  cannot  be  Ignored. 


THE  PRIVACY  ACT 

The  Privacy  Act  is  Imposed  on  executive  departments,  military  depart¬ 
ments,  Government  and  Government -controlled  corporations,  other  establish¬ 
ments  In  the  executive  branch  including  the  Office  of  the  President,  and 
Independent  regulatory  agencies.  Congress  and  its  agencies  (e.g.,  GAO)  are 
exempt.  So  are  Federal  Courts.  It  limits  the  manner  in  which  they  col¬ 
lect,  use  and  disclose  information  about  people.  The  act  was  codified  as  5 
use  552a  in  1976.  The  act  gives  the  individual  the  right  to  be  protected 


260 


against  the  power  of  officials  with  access  to  data  banks.  There  are  three 
related  aspects  to  the  Privacy  Act  rights: 

Personal  autonomy—»the  right  to  oake  a  choice  about  personal  be¬ 
havior  and  lifestyle. 

Freedon  froa  outside  interference--the  right  to  be  left  alone. 

Protection  of  private  information- -the  right  to  control  where  and 
how  infonaation  about  oneself  is  cononinicated  to  others. 

This  portion  of  the  paper  focuses  on  the  third  point,  control  and  pro¬ 
tection  of  personal  infonaation. 

Since  1965,  personal  privacy  has  become  an  Imnportant  social  value, 
covered  under  tort  laws,  in  the  United  States.  Privacy  is  related  to 
personal  freedom  and,  although  rights  of  privacy  are  not  expressly  men¬ 
tioned  in  the  Constitution,  is  supported  by  the  Supreme  Court's  language 
used  in  most  of  its  Important  decisions.  The  constitutional  aaMndments 
most  commonly  cited  in  this  regard  by  the  Supreme  Court  are  the  first, 
third,  fourth,  fifth,  ninth,  and  fourteenth. 

In  1976,  an  Inventory  of  Federal  data  systems  revealed  that  97  agencies 
had  a  total  of  7,000  records  systems  containing  nearly  4  billion  dossiers. 
The  Department  of  Defense  alone  had  2,219  systems  with  321  million  dif¬ 
ferent  names  and  records  (0MB,  1976).  Most  of  the  records  systems  at 
that  time  were  not  a  matter  of  public  record.  The  Privacy  Act  prohibits 
secret  files  and  further  states  that  individuals  should  be  able  to  find  out 
what  information  about  them  is  contained  in  Federal  records  and  how  that 
information  is  used.  For  example,  a  person  is  able  to  prevent  personal 
information  that  was  given  for  one  specific  purpose  froa  being  used  for 
another  purpose  without  his  or  her  consent.  Provisions  will  be  made  for 
the  individ\ial  to  correct  and  amend  personal  records  in  possession  of  the 
government* 

Government  agencies  handling  identifiable  personal  data  should  show 
that  such  data  arc  reliable  and  current  and  take  positive  steps  to  prevent 
their  misuse.  Collected  data  should  also  be  safeguarded  and  securely 
stored  if  they  contain  identifiable  Information.  For  research  use,  the 
connection  between  the  names  and  data  should  be  destroyed  when  no  longer 
needed.  Code  numbers  and  code  words  can  be  used  if  several  sets  of  data 
are  collected  on  the  same  person.  A  number  of  methods  for  storing  personal 
data  are  described  in  the  literature  (Boruch,  1971a,  b).  If  knowledge  of 
Illegal  activities  is  requested,  anonymity  should  be  guaranteed  so  that  the 
data  cannot  be  subpoenaed  in  legal  proceedings.  Insulated  data  banks  might 
be  considered.  Research  data  are  not  automatically  privileged  Information. 
There  are  a  few  exceptions,  such  as  data  regarding  drug  research.  Congress 
and  courts  may,  and  often  do,  subpoena  such  data. 

The  success  of  the  Privacy  Act  is  hard  to  measure  objectively.  The 
enforcement  of  data  protection  regulations  and  the  supervision  and  control 
of  the  collection  and  storage  of  information  about  individuals  depend, 
for  the  most  part,  on  the  good  faith  of  the  agencies  and  legal  action  by 
Individuals.  Congress  believed  that  self -regulation  was  the  best  initial 


method  for  control  because  it  eliminated  the  need  for  an  additional  govern* 
meat  agency  and,  at  the  same  time,  would  aid  the  necessary  advance  in  the 
technology  of  information  collection  and  storage.  Control  agencies  were 
not  to  be  considered  unless  the  agencies  themselves  proved  that  self¬ 
regulation  had  failed.  The  potential  for  frustration  of  the  law  is  so 
great  that  the  Privacy  Protection  Study  Commission  (1971)  recommended  that 
the  Privacy  Act  be  broadened  to  Include  all  items  that  an  agency  can 
readily  identify  in  all  of  its  systems  to  Insure  compliance  with  the 
Privacy  Act.  So  far,  Congress  has  not  implemented  the  Commission's 
recommendation. 

Violations  of  the  Privacy  Act  are  misdemeanors  subject  to  a  maximum 
fine  of  $5,000.  Unlike  damage  actions  brought  against  an  agency,  criminal 
penalities  are  Imposed  on  the  person  who  committed  the  crime.  The  punish¬ 
ment,  if  there  Is  a  conviction,  is  applied  to  any 

Agency  officer  or  employee  who  knowingly  or  willfully  makes  im¬ 
proper  disclosures  of  Information  pertaining  to  an  Individual. 

Agency  officer  or  employee  who  willfully  maintains  records  %d.thout 
meeting  Notice  Requirements  Requests  (l.e.,  maintains  a  secret 
system  of  records). 

Person  who  knowingly  and  willfully  requests  or  obtains  Individual 
records  from  an  agency  under  false  pretenses. 

If  the  court  finds  that  an  agency  (Its  officers  or  employees)  acted  In 
an  Intentional  or  willful  manner,  the  complainant  may  receive  actual 
damages  ($1,000  minimum).  But  It  Is  difficult,  In  most  cases,  for  the 
complainant  to  show  proof  of  Intentional  and  willful  agency  misconduct. 
The  complainant  must  also  show  that  the  conduct  was  greater  than  "gross 
negligence";  "ordinary  negligence"  on  the  part  of  the  agency  does  not  meet 
requirements  of  the  law  as  It  Is  written.  In  addition,  the  complainant 
must  also  prove  actual  damages  by  establishing  that  the  agency's  action  had 
a  direct  adverse  Impact  upon  him  or  her.  Finally,  If  the  Individual 
wins,  the  U.S.  Treasury  (not  the  agency  or  Its  members)  Is  liable  for  the 
actual  damages,  court  costs,  and  attorney  fees.  This  situation  tends  to 
dampen  the  dnterrent  effect  that  civil  actions  may  have  upon  data  col¬ 
lection  practices  of  agencies  (Bushkin  &  Schaen,  1975). 


THE  DATA  BASE 

A  data  base  may  be  viewed  as  a  digital  computer  version  of  a  manual 
file  system.  The  manual  file  system  comprises  file  folders  Identified  by  a 
name  or  number.  The  computer  file  consists  of  records,  each  Identified  by 
a  primary  key  and  secondary  keys,  for  example,  name,  age,  rank,  and  Social 
Security  number.  At  this  point,  the  computerized  record  system  departs 
from  the  manual  system.  Access  to  the  Items  In  the  computerized  system  can 
be  made  through  the  primary  or  any  secondary  key,  or  through  any  other 
indicator  In  the  Individual  record.  Users  of  computerized  records  systems 
are  often  In  remote  locations,  and  restrictions,  like  code  names  for  the 
primary  key  or  Identification  tab  of  a  single  system,  no  longer  exist. 


262 


The  recent  trend,  under  the  Impetus  of  the  Paperwork  Reduction  Act,  Is 
toward  integrated  data  bases  where  a  collection  of  data  or  records  Is 
linked  together  using  a  common  Identification  key.  The  reason  for  the 
Innovation  Is  related  to  a  greater  need  for  Individualized  Information  and 
a  growing  proficiency  In  processing  and  Interpreting  data.  Also,  as 
expected,  data  collected  for  one  purpose  Is  frequently  useful  for  related 
purposes. 

At  this  point,  the  distinction  between  records  that  relate  to  Indi¬ 
viduals  for  the  purpose  of  taking  some  sort  of  action  concerning  that 
Individual  and  records  that  are  collected  and  maintained  for  the  purpose  of 
planning  and  policy  decisions  should  be  made.  The  former.  In  the  strict 
sense.  Is  termed  a  system  of  records;  the  latter  Is  statistical  record. 
However,  most  records  are  mixed,  and  it  Is  rare  to  find  a  true  statistical 
record  In  either  Government  or  academic  research.  A  true  statistical  data 
base  cannot  contain  Information  that  can  be  related  to  an  Identified  Indi¬ 
vidual,  and  no  Individual  contributing  to  the  data  base  should  be  Identi¬ 
fied  with  It.^.  The  Army  Research  Institute  for  the  Behavioral  and 
Social  Sciences  (ARl)  collects  and  maintains  systems  of  records  until  such 
time  as  the  data  are  edited,  coded,  stripped  of  the  personal  Identifi¬ 
cation,  and  entered  Into  the  data  base.  The  ARI  Systems  Notice  (ARI,  1980) 
covers,  at  this  writing,  all  ARI  systems  of  records  of  the  moment  and  the 
future,  provided  the  data  collection  effort  remains  within  the  operational 
confines  of  the  public  notice.  If  a  new  and  different  system  of  records  is 
contemplated,  then  an  additional  notice,  or  modification  of  the  current 
notice,  will  be  required.  The  new  notice  must  be  published  In  the  Federal 
Register  at  least  90  days  prior  to  any  data  collection  for  the  new  system 
of  records. 


DATA  COLUECTION  AND  STORAGE  PROCEDURES 

The  procedure  Involved  from  the  start  of  the  data  gathering  through  the 
final  destruction  of  the  system  of  records  (l.e.,  removal  of  personal 
Identifiers)  and  the  publication  of  the  results  for  the  various  users  may 
theoretically  be  compromised  at  a  number  of  points  during  the  collection, 
transmission,  storage,  and  processing  of  the  data.  Nine  arbitrary  points 
are  conceptualized  here  for  the  purpose  of  Illustration  In  Figure  1. 

The  data  collection  point  1  surveys,  questionnaires,  tests.  Inter¬ 
views,  or  ratings  Is  obvious  and  frequently  overlooked  despite  the  Privacy 
Act  Statement  at  that  point  stating  that  "Full  confidentiality  of  the 
responses  will  be  maintained  In  the  processing  of  the  data.  ..."  (DA  Form 
4368-R).  The  Privacy  Act  requires  that  all  agencies  involved  In  data 
collection— in  the  development  of  a  data  base  there  may  be  several --provide 


^Insofar  as  the  Privacy  Act  Is  concerned,  however,  the  only  operative 
criterion  Is  whether  or  not  the  agency  does  In  practice  retrieve  the 
information  by  reference  to  some  personal  Identifier. 


appropriate  administrative,  technical,  and  physical  safeguards.  The  common 
threat  to  personal  information  at  point  1  Is  the  person  who  is  authorized 
to  have  access  to  the  information  for  one  purpose  but  who  misuses  that  same 
Information  for  an  unauthorized  purpose.  The  entire  data  collection 
operation,  if  possible,  should  remain  under  a  single  work  group.  It 
Is  tempting  for  the  researcher  to  ignore  most  of  the  problems  at  point  1 
and  go  on  to  the  second  potential  compromise  point  (transmission).  The 
personal  Information  Is  easiest  to  protect  in  the  computer-based  area. 
The  transmission  of  the  data  (point  2)  may  be  by  messenger,  mall,  tele¬ 
phone,  or  microwave  and  Is  subject  to  compromise  during  transmission  and 
upon  receipt.  Any  privacy  compromise  here  Is  seldom  Intended  and  is  most 
likely  the  result  of  careless  handling.  Security  compromise  during  trans¬ 
mission  Is  not  specifically  treated  In  this  paper.  The  editing  and  coding 
process  (point  3)  Is  the  first  step  In  preparing  the  data  for  the  computer 
and  Is  the  time  to  check  for  accuracy,  relevance,  timeliness,  and  complete¬ 
ness.  It  Is  also  a  good  time  to  remove  the  personal  Identification  In 
preparation  for  linkage  with  additional  Information  In  the  Integrated  data 
base  unless  that  linkage  Is  necessary  for  the  subsequent  interpretation  of 
the  data.  Data  transmission  (point  4)  to  the  computer  area  Is  usually  less 
of  a  risk  than  point  2.  However,  the  Information  must  be  checked,  edited, 
and  sorted  and  may  easily  be  Identified  by  resourceful  people.  Points  5, 
6,  and  7  Involve  checking  the  processing  of  the  data  being  edited  and 
stored.  During  format  checks  of  tables,  graphs,  and  the  like,  careless 
handling  may  result  In  compromise.  Error  listings  are  another  source  of 
compromise  at  this  point.  The  location  of  each  Item  of  Information  should 
be  recorded  and  confined  to  the  computer  area;  extraneous  data  should  be 
destroyed  when  no  longer  useful.  Finally,  point  8  Is  transmission  of  the 
data  (the  report)  to  the  user,  point  9.  Exploitation  can  occur  when  common 
and  unique  properties  of  Individuals  are  displayed  In  the  reports.  It  Is 
then  a  simple  matter  to  sort,  count,  and  Identify  individuals  and/or  groups 
from  the  final  report.  For  example,  tabulation  of  results  may  yield  grade 
level,  age,  sex,  location,  and  other  properties  that  with  cross-tabu¬ 
lations  Identify  Individuals  and/or  groups* 


1.  Data  Collection  6. 

2.  Data  Transmission  7. 

3.  Editing  and  Coding  8. 

4.  Data  Transmission  9. 

5.  Data  Preparation 


Computer  Processing  and  Storage 
Tabulation  and  Display  of  Results 
Data  Transmission 
Report:  The  results  to  user 


Figure  1.  Flow  from  personnel  Information  Initial  collection  to  statistical 
record  to  final  report.  Numbers  represent  potential  compromise 
points. 


264 


In  practlcs,  the  situation  Is  more  complicated.  Longitudinal  studies 
which  Involve  collecting  and  maintaining  Information  over  a  period  of  time 
may  present  problems.  A  statistical  data  base  of  this  sort  needs  an 
Insulated  method  of  linking  recent  data  with  data  already  stored.  To 
complicate  natters,  a  secondary  user  or  users  are  often  Involved.  And  most 
problems  arlse->at  least  Insofar  as  privacy  safeguards  are  concerned* -when 
the  primary  user  establishes  the  data  base  for  administrative  purposes  and 
the  secondary  user  Is  more  Interested  In  research,  or  vice  versa.  Often, 
there  is  no  relationship  of  purpose  between  the  records  system  of  one  user 
and  the  established  data  base  of  another. 


PRIVACY  SAFEGUARDS 

Privacy  safeguards  for  data  bases  arc  similar  to  those  required  for 
most  records  systems.  Certain  data  bases,  for  example  those  concerned  with 
current  sensitive  Issues,  such  as  medical  histories,  performance  by  ethnic 
groups.  Illegal  actions  or  country  of  origin  (Barnes,  1979),  are  subject  to 
Intentional  Invasion  for  several  reasons  by  Individuals  whose  Interests 
range  from  apprehension  concerning  possible  misuse,  real  or  Imagined,  of 
the  information  contained  In  the  data  base  to  Intelligence-gathering 
activities  of  foreign  governments.  Added  precautions  might  be  considered. 

For  example,  the  data  from  MILPERCEK's  proposed  data  base  are  coded 
with  a  cryptographic  code  known  only  to  MILPERCEN.  The  coded  data  plus 
Identifying  Information  are  sent  to  ARI  to  merge  with  ASVAB  data,  which  Is 
also  coded  using  the  Identifying  Information  to  link  with  the  MILPERCEN 
record  (Figure  2).  The  Identification  is  then  deleted.  The  merged  file  Is 
given  to  ARI's  Personnel  Utilisation  Technical  Area.  MILPERCEN  cannot 
obtain  anything  other  than  their  own  data  from  the  file,  and  ARI  cannot 
meaningfully  identify  data  from  MILPERCEN  but  will  have  the  necessary 
Information  for  a  validation  of  ASVAB.  The  same  scheme  can  be  used  In 
longitudinal  studies  with  different  Independent  groups.  The  code  linkage 
can  cither  be  destroyed  or  stored  In  a  safe  place  beyond  the  reach  of  all 
but  extraordinary  requests. 

Assuming  reasonable  precaution  In  data  collection,  maintenance,  stor¬ 
age,  and  reporting,  the  Insulated  data  base  with  Its  disposable  code  links 
and  the  resulting  statistical  record  will  easily  meet  future  requirements 
for  privacy  protection  of  ARI  Integrated  data  bases.  There  are  many  other 
effective  methods  to  Insulate  and  link  record  systems.  There  Is  no  one 
beat  way  to  protect  personal  Information.  The  point  Is  that  such  protec¬ 
tion  can  and  should  be  provided. 


265 


1.  MILPERCEN  Data --Coded 

2.  Data  Transmission 

3.  ARI  ASVAB  Data --Coded 
A.  Data  Transmission 

5«  Merge  Data--Edlt  and  Match 
Codes 

6.  Data  Transmission  of  All 
Coded  and  Merged  Data 


The  Data  Base--Statlstical 
Records  only 

Transmission  of  Cryptographic 
Key 

Safe  Storage  of  Code  Key 


Figure  2*  Schematic  flow  and  proposed  development  of  one  insulated  data 


Army  Research  Institute.  ARl  Systems  Notice.  A1306.01  DAPE.  Federal 
Register.  45FR  No.  223,  75736.  Nov.  17,  1980. 

Barnes,  J.  A.  Who  Should  Know  What?  Cambridge,  England:  Cambridge 
University  Press,  1979. 

Boruch,  R.  F.  Assuring  confidentiality  of  responaes  In  social  research: 

A  note  on  strategies.  American  Sociologist,  1971a,  ^  308-311. 

Boruch,  R.  F.  Maintaining  confidentiality  of  data  In  education  research: 

A  syatematlc  analysis.  American  Psychologist.  1971b,  413-430. 

Bushkln,  A.  A.,  &  Schaen,  S.  I.  The  Privacy  Act  of  1974.  McLean,  Va.,: 
System  Development  Corporation,  1975. 

Office  of  Management  and  Budget.  The  first  annual  report  to  the  President 
for  CY  1975.  Washington,  D.C.:  U.S.  Government  Printing  Office,  19^6. 

Privacy  Protection  Commission.  Personal  privacy  In  an  Information  society. 
Washington,  D.C.:  U.S.  Govement  Printing  Office,  1971. 


